Cybersecurity for Federal Contractors in a Time of Divided Government
The recent cyberattack against the U.S. Office of Personnel Management highlights the vulnerability of public IT systems and the urgent need to protect those systems and the sensitive government data that resides there. According to reports, at least 3 million federal employees’ private data was compromised–but the scope of the attack may have been much broader and deeper. Before the dust settled on that cyberattack, the U.S. Army website was hacked by a group of Syrians. Before that, the White House website was hacked. And the list goes on.
Through it all, Congress has seen fit to pass . . . nothing? Truth be told, the House already passed different versions of a cybersecurity information sharing bill that easily cleared the Senate Intelligence Committee but now appears to be stalled on the Hill. Gridlock in Washington is nothing new, but in the meantime, what steps should federal contractors be taking to protect sensitive government information?
There are multiple sources for cybersecurity controls in the federal sector. The Federal Information Security Management Act of 2002. The Federal Risk and Authorization Management Program. The National Institute of Statistics and Technology Cybersecurity Framework. The DFARS has specific requirements that are mandated to be in all defense contracts. Even though that DFARS clause, 252.204-7012 was issued in November 2013, according to a recent DOD Memorandum and attached scorecard, there are currently no defense components that have fully complied with that mandate. In fact, the current scorecard for the second quarter of 2015 shows that the U.S. Army has only included that DFARS provision in 41% of contracts and solicitations. There is no doubt that the Army and other defense agencies can and should do a better job. But contractors have a role to play as well.
Even when the DFARS clause has been omitted, as it has in 59% of current Army contracts, defense contractors should treat their contracts as if the clause is included. They should engage the Government proactively to modify their contracts to fully comply, and they should implement the measures required by the omitted clause to protect the sensitive data and their systems. The other option is to bury your head in the sand and hope that your system is not hacked and the government data is not compromised. Of course, hope is not really an option. What about the extra costs associated with the added controls required by DFARS 252.204-7012? Those should be paid by your government customer through a change order or contract modification.
When it comes to cybersecurity, federal contractors and government agencies are very much partners. And partnerships work best when partners communicate openly with one another. So, when a required clause gets omitted from your contract, don’t cross your fingers and hope nothing happens to the sensitive data that has been entrusted to you by your partner. Speak up!